Deployment tool and support utility for AI context. Copies agents, skills, commands, rules, and behaviors into the paths each AI platform reads (Claude Code, Codex, Copilot, Cursor, Warp, OpenClaw, and 6 more) so one source of truth works across 10 platfo
/**
* SecurityValidator - Comprehensive security validation system
*
* Enforces:
* - NFR-SEC-001: Zero external API calls (100% offline operation)
* - NFR-SEC-002: 100% rollback safety
* - NFR-SEC-003: File permissions validation (644/755)
* - NFR-SEC-004: 100% secret detection
* - NFR-SEC-PERF-001: Security scan <10s for 100 files
*
* Features:
* - External API call detection with whitelist support
* - Secret detection (API keys, passwords, tokens, private keys)
* - File permission validation
* - Dependency vulnerability scanning
* - Security gate enforcement for Construction/Production phases
*/
/**
 * Severity of a security finding.
 *
 * 'critical' blocks the Construction gate; 'critical' and 'high' block the
 * Production gate (see SecurityValidator.validateConstructionGate and
 * validateProductionGate). 'medium' and 'low' are reported but, as far as
 * this declaration shows, are not gate-blocking.
 */
export type SecurityIssueSeverity = 'critical' | 'high' | 'medium' | 'low';
/**
 * Which check produced a SecurityIssue. The four scan areas in the file
 * header map onto these: external-API detection -> 'external-api-call',
 * secret detection -> 'secret-exposure', permission validation ->
 * 'file-permission', dependency scanning -> 'vulnerability' /
 * 'insecure-dependency' (the distinction between the last two is not
 * visible here — confirm against the implementation).
 */
export type SecurityIssueCategory = 'external-api-call' | 'secret-exposure' | 'file-permission' | 'vulnerability' | 'insecure-dependency';
/**
 * One finding produced by a scan. This is the common record that every
 * check (API calls, secrets, permissions, dependencies) is reduced to
 * before gate enforcement and reporting.
 */
export interface SecurityIssue {
  severity: SecurityIssueSeverity;
  category: SecurityIssueCategory;
  /** Path of the file the finding was made in — absolute or relative to projectPath is not visible here; confirm. */
  file: string;
  /** Line within `file` when the finding is tied to a specific line (file-level findings such as permissions omit it). Base (0 or 1) not visible here — confirm. */
  lineNumber?: number;
  /** Human-readable explanation of what was found. Should not reproduce a raw secret value; see DetectedSecret.snippet. */
  description: string;
  /** Suggested fix; generateRemediationPlan presumably builds its plan from these — confirm. */
  recommendation: string;
  /** CVE identifier when the finding corresponds to a known advisory (dependency findings); absent otherwise. */
  cve?: string;
}
/**
 * Aggregated result of SecurityValidator.scan / scanDirectory.
 */
export interface SecurityScanResult {
  /**
   * Overall verdict. NOTE(review): the threshold that flips this is not
   * visible in the declaration — presumably "no critical issues", possibly
   * stricter when SecurityConfig.failOnWarnings is set; confirm before
   * relying on it as a gate.
   */
  passed: boolean;
  /** Every finding from the enabled checks. */
  issues: SecurityIssue[];
  /** Count of `issues` per severity — presumably derived from `issues`; confirm they agree. */
  summary: {
    critical: number;
    high: number;
    medium: number;
    low: number;
  };
  /** Number of files actually examined (after excludePaths filtering, presumably). */
  checkedFiles: number;
  /** Wall-clock duration of the scan. Unit not visible here — presumably milliseconds; NFR-SEC-PERF-001 targets <10 s for 100 files. */
  scanDuration: number;
}
/**
 * A candidate secret found by the secret scanner.
 */
export interface DetectedSecret {
  /** Kind of secret, as classified by SecurityValidator's private categorizeSecret helper. */
  type: 'api-key' | 'password' | 'token' | 'private-key' | 'credential';
  /** File the match was found in. */
  file: string;
  /** Line of the match within `file`. Base (0 or 1) not visible here — confirm. */
  lineNumber: number;
  /**
   * Excerpt around the match for display.
   * NOTE(review): the validator has a private maskSecret helper, so this is
   * presumably the masked form — verify that, because this field ends up in
   * reports (generateSecurityReport / exportReport); an unmasked snippet
   * would re-expose the secret in report output and logs.
   */
  snippet: string;
  /** Detector confidence. Range (0–1 or 0–100) not visible here — confirm. */
  confidence: number;
}
/**
 * Result of SecurityValidator.detectSecrets over a set of files.
 */
export interface SecretDetectionResult {
  /** True when at least one secret was found — presumably `secrets.length > 0`; confirm. */
  foundSecrets: boolean;
  /** All candidates found, across all scanned files. */
  secrets: DetectedSecret[];
  /**
   * Estimated false-positive rate. How it is computed is not visible here
   * (it cannot be measured without ground truth, so it is presumably a
   * heuristic derived from `confidence`) — confirm before quoting it.
   */
  falsePositiveRate: number;
}
/**
 * A network call found in source code. Any call whose `url` is not
 * whitelisted (SecurityValidator.isWhitelistedAPI) violates NFR-SEC-001
 * (100% offline operation).
 */
export interface ExternalAPICall {
  /** File containing the call. */
  file: string;
  /** Line of the call within `file`. Base (0 or 1) not visible here — confirm. */
  lineNumber: number;
  /** Target URL as written in the source (dynamic URLs may be only partially recoverable — not visible here). */
  url: string;
  /** Mechanism used to make the call, as recognised by the detector. */
  method: 'fetch' | 'axios' | 'http' | 'https' | 'XMLHttpRequest';
  /** Why the call was flagged (e.g. not whitelisted) — exact wording not visible here. */
  reason: string;
}
/**
 * A file whose mode differs from the expected one (NFR-SEC-003).
 */
export interface PermissionViolation {
  /** Path of the offending file. */
  file: string;
  /** Mode the file currently has. Format presumably an octal string such as '644' / '755', matching NFR-SEC-003 — confirm. */
  actual: string;
  /** Mode the file should have, from SecurityConfig.permissionRules or the validator's default rule (private getExpectedPermission). */
  expected: string;
  /** Why the discrepancy matters — exact wording not visible here. */
  reason: string;
}
/**
 * Result of SecurityValidator.validateFilePermissions over a directory.
 */
export interface PermissionValidationResult {
  /** True when no violations were found — presumably `violations.length === 0`; confirm. */
  passed: boolean;
  /** Every file whose mode did not match its expected mode. */
  violations: PermissionViolation[];
  /** Number of files whose mode was examined. */
  checkedFiles: number;
}
/**
 * A known vulnerability affecting one declared dependency.
 * NOTE(review): NFR-SEC-001 forbids external API calls, so the advisory
 * data this is matched against must be local/bundled; where it comes from
 * and how current it is are not visible here — confirm.
 */
export interface DependencyVulnerability {
  /** Package name as declared in the project's dependency manifest. */
  package: string;
  /** Installed or declared version that is affected. */
  version: string;
  severity: SecurityIssueSeverity;
  /** CVE identifier when the advisory has one. */
  cve?: string;
  /** What the vulnerability is. */
  description: string;
  /** Suggested fix, e.g. the version to upgrade to — exact content not visible here. */
  recommendation: string;
}
/**
 * Result of SecurityValidator.scanDependencies.
 */
export interface DependencyScanResult {
  /** Every matched vulnerability across all dependencies. */
  vulnerabilities: DependencyVulnerability[];
  /** True when the scan found nothing blocking. Whether medium/low findings fail it is not visible here — confirm. */
  passed: boolean;
}
/**
 * Result of SecurityValidator.checkKnownVulnerabilities: the dependency scan
 * plus per-severity totals.
 */
export interface VulnerabilityReport {
  dependencies: DependencyScanResult;
  /** Count of `dependencies.vulnerabilities` per severity — presumably derived from that list; confirm. */
  summary: {
    critical: number;
    high: number;
    medium: number;
    low: number;
  };
}
/**
 * Outcome of SecurityValidator.enforceSecurityGate.
 */
export interface GateEnforcementResult {
  /** True when `blockingIssues` is empty — presumably; whether `warnings` can also fail the gate (SecurityConfig.failOnWarnings) is not visible here. */
  passed: boolean;
  /** Which gate was applied; 'production' is the stricter one (see validateProductionGate). */
  gate: 'construction' | 'production';
  /** Issues that fail the gate on their own. */
  blockingIssues: SecurityIssue[];
  /** Issues reported but not blocking for this gate. */
  warnings: SecurityIssue[];
  /** When enforcement ran. Format not visible here — presumably ISO 8601; confirm. */
  timestamp: string;
}
/**
 * Optional configuration passed to the SecurityValidator constructor.
 */
export interface SecurityConfig {
  /** Paths (or path patterns — form not visible here) excluded from every scan. Excluding a path also excludes it from secret and permission checks, so keep this list minimal. */
  excludePaths?: string[];
  /**
   * URL patterns exempt from the external-API check (NFR-SEC-001).
   * Every entry widens what the offline guarantee lets through, so treat
   * additions as policy decisions and prefer anchored patterns over broad
   * ones. Whether these are merged with a built-in whitelist is not visible
   * here — confirm.
   */
  customWhitelist?: RegExp[];
  /** Expected file modes keyed by path or pattern (key form not visible here) — values presumably octal strings like '644' / '755' per NFR-SEC-003; confirm. */
  permissionRules?: Record<string, string>;
  /** When set, findings that would otherwise be warnings presumably fail the scan/gate too — confirm which severities this affects. */
  failOnWarnings?: boolean;
}
/**
 * Per-call toggles for SecurityValidator.scan. Defaults when a field is
 * omitted are not visible here — presumably every check is enabled; confirm,
 * because a check that defaults to off silently weakens the gate.
 */
export interface ScanOptions {
  /** Run external-API-call detection (NFR-SEC-001). */
  checkExternalAPIs?: boolean;
  /** Run secret detection (NFR-SEC-004). */
  checkSecrets?: boolean;
  /** Run file-permission validation (NFR-SEC-003). */
  checkPermissions?: boolean;
  /** Run dependency vulnerability scanning. */
  checkDependencies?: boolean;
  /** Run the enabled checks concurrently rather than sequentially — presumably; confirm. */
  parallel?: boolean;
}
/**
 * Offline security scanner for a project tree.
 *
 * Runs the checks listed in the file header (external API calls, secrets,
 * file permissions, dependencies), reduces them to SecurityIssue records,
 * and enforces the Construction and Production gates.
 *
 * This is a declaration file: no implementation is visible, so notes marked
 * "presumably" are inferred from names and the header and should be
 * confirmed against the source.
 */
export declare class SecurityValidator {
  /** Root directory of the project under scan (first constructor argument). */
  private projectPath;
  /** Effective SecurityConfig (second constructor argument; how defaults are filled is not visible here). */
  private config;
  /**
   * @param projectPath - root directory to scan
   * @param config - optional excludes, URL whitelist, permission rules and warning policy
   */
  constructor(projectPath: string, config?: SecurityConfig);
  /**
   * Run every check enabled in `options` over the project and aggregate the
   * findings.
   *
   * @param options - which checks to run and whether to run them in parallel;
   *   behaviour when omitted is not visible here — presumably all checks run
   * @returns aggregated findings, per-severity counts and scan duration
   */
  scan(options?: ScanOptions): Promise<SecurityScanResult>;
  /**
   * Run the per-file checks on one file.
   *
   * @param filePath - file to examine
   * @returns findings for that file (empty when clean)
   */
  scanFile(filePath: string): Promise<SecurityIssue[]>;
  /**
   * Scan a directory, optionally descending into subdirectories.
   *
   * @param dirPath - directory to scan
   * @param recursive - descend into subdirectories; default not visible here — confirm
   */
  scanDirectory(dirPath: string, recursive?: boolean): Promise<SecurityScanResult>;
  /**
   * Find network calls in the code under `codePath` (NFR-SEC-001).
   * Whether whitelisted calls are included in the result or already
   * filtered out is not visible here — confirm before treating an empty
   * array as "no network calls at all".
   *
   * @param codePath - file or directory to examine
   */
  detectExternalAPICalls(codePath: string): Promise<ExternalAPICall[]>;
  /**
   * Content-string variant of detectExternalAPICalls. Signature is not
   * emitted for private members.
   */
  private detectExternalAPICallsInContent;
  /**
   * Verify that the code under `codePath` makes no non-whitelisted
   * external API calls.
   *
   * @returns true when the offline requirement (NFR-SEC-001) holds
   */
  validateOfflineOperation(codePath: string): Promise<boolean>;
  /**
   * Whether `url` is exempt from the external-API check.
   * Presumably tested against SecurityConfig.customWhitelist and any
   * built-in allowlist — confirm which. Each exemption widens what the
   * offline guarantee lets through.
   */
  isWhitelistedAPI(url: string): boolean;
  /**
   * Scan the given files for secrets (NFR-SEC-004).
   *
   * @param files - paths to examine
   */
  detectSecrets(files: string[]): Promise<SecretDetectionResult>;
  /**
   * Scan one file for secrets.
   *
   * @param filePath - file to examine
   * @returns candidate secrets found in that file (empty when clean)
   */
  detectSecretsInFile(filePath: string): Promise<DetectedSecret[]>;
  /**
   * Verify that no secrets are committed in the project.
   * Scope (working tree, staged files, or git history) is not visible
   * here — confirm; the name suggests committed content rather than the
   * working tree.
   *
   * @returns true when no secrets were found
   */
  validateNoSecretsCommitted(): Promise<boolean>;
  /**
   * Classify a matched secret into DetectedSecret.type. Signature is not
   * emitted for private members.
   */
  private categorizeSecret;
  /**
   * Redact a secret value for display in DetectedSecret.snippet and
   * reports. Signature is not emitted for private members.
   */
  private maskSecret;
  /**
   * Compare every file under `dirPath` against its expected mode
   * (NFR-SEC-003; defaults 644 for files / 755 for executables and
   * directories per the file header, overridable via
   * SecurityConfig.permissionRules).
   *
   * @param dirPath - directory to examine
   */
  validateFilePermissions(dirPath: string): Promise<PermissionValidationResult>;
  /**
   * Whether one file currently has the `expected` mode.
   *
   * @param filePath - file to examine
   * @param expected - mode string in the same format as PermissionViolation.expected
   */
  checkPermission(filePath: string, expected: string): Promise<boolean>;
  /**
   * Change the mode of `filePath` to `target`.
   * This mutates the file system. NFR-SEC-002 (rollback safety) implies the
   * previous mode is recoverable — how is not visible here; confirm before
   * calling this on files outside projectPath.
   *
   * @param filePath - file to change
   * @param target - mode string in the same format as PermissionViolation.expected
   */
  fixPermissions(filePath: string, target: string): Promise<void>;
  /**
   * Examine one file's mode and produce a SecurityIssue when it is wrong.
   * Signature is not emitted for private members.
   */
  private checkFilePermission;
  /**
   * Resolve the expected mode for a file from permissionRules / defaults.
   * Signature is not emitted for private members.
   */
  private getExpectedPermission;
  /**
   * Match the project's declared dependencies against known
   * vulnerabilities. Because of NFR-SEC-001 this must use local advisory
   * data — its source and freshness are not visible here; confirm.
   */
  scanDependencies(): Promise<DependencyScanResult>;
  /**
   * Run scanDependencies and summarise the findings per severity.
   */
  checkKnownVulnerabilities(): Promise<VulnerabilityReport>;
  /**
   * Choose the gate for the current project phase and enforce it.
   * How the phase is detected is not visible here — confirm; a wrong
   * detection would apply the weaker Construction rules to a Production
   * build.
   */
  enforceSecurityGate(): Promise<GateEnforcementResult>;
  /**
   * Validate the Construction gate.
   *
   * Requirements:
   * - Zero critical security issues
   * - Zero external API calls (except whitelisted)
   * - Zero committed secrets
   * - All file permissions valid
   *
   * @returns true when every requirement holds
   */
  validateConstructionGate(): Promise<boolean>;
  /**
   * Validate the Production gate (stricter than Construction).
   *
   * Requirements:
   * - Zero critical or high security issues
   * - Zero external API calls (except whitelisted)
   * - Zero committed secrets
   * - All file permissions valid
   * - All dependencies patched
   *
   * @returns true when every requirement holds
   */
  validateProductionGate(): Promise<boolean>;
  /**
   * Render a human-readable report of the current findings.
   * Default format is not visible here (exportReport offers markdown, json
   * and html) — confirm.
   */
  generateSecurityReport(): Promise<string>;
  /**
   * Render the report in the requested format.
   * NOTE(review): for 'html', file paths, descriptions and secret snippets
   * are untrusted text and need escaping; whether the private
   * generateHTMLReport helper does so is not visible here — confirm.
   *
   * @param format - output format
   * @returns the serialised report
   */
  exportReport(format: 'markdown' | 'json' | 'html'): Promise<string>;
  /**
   * Build a remediation plan from a list of findings — presumably from
   * their `recommendation` fields, grouped by category (see the private
   * groupIssuesByCategory helper); confirm.
   *
   * @param issues - findings to plan for
   */
  generateRemediationPlan(issues: SecurityIssue[]): Promise<string>;
  /**
   * Enumerate files under projectPath, presumably honouring
   * SecurityConfig.excludePaths. Signature is not emitted for private members.
   */
  private getFilesToScan;
  /**
   * Convert a character offset into a line number for findings.
   * Signature is not emitted for private members.
   */
  private findLineNumber;
  /**
   * Bucket issues by SecurityIssueCategory. Signature is not emitted for
   * private members.
   */
  private groupIssuesByCategory;
  /**
   * HTML backend for exportReport('html'). Signature is not emitted for
   * private members.
   */
  private generateHTMLReport;
  /**
   * Multi-file driver for the external-API check, used by scan.
   * Signature is not emitted for private members.
   */
  private checkExternalAPIsInFiles;
  /**
   * Multi-file driver for the secret check, used by scan.
   * Signature is not emitted for private members.
   */
  private checkSecretsInFiles;
  /**
   * Multi-file driver for the permission check, used by scan.
   * Signature is not emitted for private members.
   */
  private checkPermissionsInFiles;
  /**
   * Dependency check as used by scan, reducing results to SecurityIssue
   * records. Signature is not emitted for private members.
   */
  private checkDependenciesIssues;
}
//# sourceMappingURL=security-validator.d.ts.map